Cyber Posture

CVE-2025-2311

Critical

Published: 20 March 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Incorrect use of privileged APIs, cleartext transmission of sensitive information, and insufficiently protected credentials in SecHard from Sechard Information Technologies allow authentication bypass, interface manipulation, authentication abuse, and harvesting information via API event monitoring. This issue affects SecHard versions before 3.3.0.20220411.

Security Summary

CVE-2025-2311 is a vulnerability in SecHard from Sechard Information Technologies that combines incorrect use of privileged APIs, cleartext transmission of sensitive information, and insufficiently protected credentials. It affects SecHard versions prior to 3.3.0.20220411 and enables authentication bypass, interface manipulation, authentication abuse, and harvesting of information via API event monitoring. The vulnerability is classified under CWE-319 (cleartext transmission of sensitive information), CWE-522 (insufficiently protected credentials), and CWE-648 (incorrect use of privileged APIs) and carries a CVSS v3.1 base score of 9.0 (Critical).

The vector places the attacker on an adjacent network (AV:A) with low attack complexity (AC:L), low privileges (PR:L), and no user interaction (UI:N). Successful exploitation changes scope (S:C), meaning the impact extends beyond the vulnerable component, and results in high impact to confidentiality, integrity, and availability (C:H/I:H/A:H). In practice, an adversary with low-privileged access on the same network segment can bypass authentication, manipulate the interface, abuse the authentication process, and harvest credentials and other sensitive data from the API event stream.

Mitigation involves upgrading to SecHard version 3.3.0.20220411 or later, as the issue affects only prior versions. Additional details are available in the advisory at https://www.usom.gov.tr/bildirim/tr-25-0074.

Details

CWE(s)
CWE-319 (Cleartext Transmission of Sensitive Information)
CWE-522 (Insufficiently Protected Credentials)
CWE-648 (Incorrect Use of Privileged APIs)

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1552 Unsecured Credentials (tactic: Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

T1040 Network Sniffing (tactic: Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

T1556 Modify Authentication Process (tactic: Defense Impairment)
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The authentication bypass and incorrect use of privileged APIs (CWE-648) map to T1068 (exploiting the flaw to gain higher privileges) and T1556 (abusing the authentication process). Cleartext transmission (CWE-319) and insufficiently protected credentials (CWE-522) map to T1040 (capturing authentication material on the adjacent network) and T1552 (recovering credentials that are stored or exposed insecurely). Harvesting information via API event monitoring maps to T1005 (collecting sensitive data from the affected system).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References